From bdfef97e49f17c74158084e10e7d0121cc70dd42 Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 17 Sep 2013 19:11:39 +0200
Subject: openvpn should use /usr/local/share/ca-certificates/leap_ca.crt (Feature #3831)
---
 puppet/modules/site_config/manifests/params.pp | 5 +++--
 puppet/modules/site_config/manifests/x509.pp | 5 +++++
 puppet/modules/site_openvpn/manifests/server_config.pp | 6 +++---
 3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp
index a4657457..b434af90 100644
--- a/puppet/modules/site_config/manifests/params.pp
+++ b/puppet/modules/site_config/manifests/params.pp
@@ -23,6 +23,7 @@ class site_config::params {
 fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json")
 }
- $ca_name = 'leap_ca'
- $cert_name = 'leap'
+ $ca_name = 'leap_ca'
+ $ca_bundle_name = 'leap_ca_bundle'
+ $cert_name = 'leap'
 }
diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp
index 879285dd..2660c523 100644
--- a/puppet/modules/site_config/manifests/x509.pp
+++ b/puppet/modules/site_config/manifests/x509.pp
@@ -4,6 +4,7 @@ class site_config::x509 {
 $key = $x509['key']
 $cert = $x509['cert']
 $ca = $x509['ca_cert']
+ $client_ca = $x509['client_ca_cert']
 x509::key { $site_config::params::cert_name:
 content => $key
@@ -16,4 +17,8 @@ class site_config::x509 {
 x509::ca { $site_config::params::ca_name:
 content => $ca
 }
+
+ x509::ca { $site_config::params::ca_bundle_name:
+ content => "${ca}${client_ca}"
+ }
 }
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 5ba9812f..befeaef7 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
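Review bot: The bundle built by `content => "${ca}${client_ca}"` joins the two PEM blobs with no separator, so if `$ca` does not end in a newline the `-----END CERTIFICATE-----` line runs straight into the next `-----BEGIN CERTIFICATE-----` and PEM readers will skip or reject the second certificate; `content => "${ca}\n${client_ca}"` is safe in both cases, since a blank line between PEM blocks is tolerated. It also assumes `$client_ca` carries certificate text, but the hiera definitions replaced in the following commit of this series still deliver `client_ca_cert` via `file_path`, so at this commit the bundle would end with a path string rather than a certificate. A one-line comment above the resource saying what consumes this bundle (the `ca` option in server_config.pp, changed in the same commit) would make the coupling visible.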
@@ -80,15 +80,15 @@ define site_openvpn::server_config(
 openvpn::option {
 "ca ${openvpn_configname}":
 key => 'ca',
- value => '/etc/openvpn/ca_bundle.pem',
+ value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt",
 server => $openvpn_configname;
 "cert ${openvpn_configname}":
 key => 'cert',
- value => '/etc/x509/certs/leap_openvpn.crt',
+ value => "${x509::variables::certs}/${site_config::params::cert_name}.crt",
 server => $openvpn_configname;
 "key ${openvpn_configname}":
 key => 'key',
- value => '/etc/x509/keys/leap_openvpn.key',
+ value => "${x509::variables::keys}/${site_config::params::cert_name}.key",
 server => $openvpn_configname;
 "dh ${openvpn_configname}":
 key => 'dh',
-- cgit v1.2.3
From 3decab555397f01e757a0b8a1a5af3648cf49bd0 Mon Sep 17 00:00:00 2001
From: varac
Date: Wed, 18 Sep 2013 16:42:24 +0200
Subject: Include content of client_ca.crt and client_ca.key in hiera (Feature #3874)
---
 provider_base/services/mx.json | 4 ++--
 provider_base/services/webapp.json | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index 25ccf4f0..f999dd23 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -12,8 +12,8 @@
 "x509": {
 "use": true,
 "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
- "client_ca_cert": "= file_path :client_ca_cert",
- "client_ca_key": "= file_path :client_ca_key",
+ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
 "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
 "commercial_key": "= file [:commercial_key, domain.full_suffix]",
 "commercial_ca_cert": "= try_file :commercial_ca_cert"
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index ee61e5ab..e47f047b 100644
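Review bot: The `ca` option now points OpenVPN at the leap_ca_bundle file, which site_config::x509 builds from the provider CA plus the client CA, and OpenVPN accepts any peer certificate that chains to any CA in that file; unless this define also emits `remote-cert-tls client` (or an equivalent EKU/nsCertType check) on the server side, a certificate the provider CA issued to a node would be usable as a client credential. The define's body starts outside the hunk, so that option may already be set — worth confirming, and a comment next to the `ca` option explaining why the bundle rather than the client CA alone is used would keep the choice from being undone. Separately, the interpolated `$x509::variables::*` and `$site_config::params::*` values resolve to undef (yielding paths such as `/leap.key`) if those classes are not evaluated before this define; an `include x509::variables` and `include site_config::params` at the top of the define pins that.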
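Review bot: With `"client_ca_key": "= file :client_ca_key, ..."` the client CA's private key is now inlined into the hiera data delivered to every mx node, whereas the tls.pp change later in this series only needs the client CA *certificate* (as `smtpd_tls_CAfile`) to verify client certificates. Unless the mx service itself signs client certificates — the webapp.json hunk looks like the place that genuinely needs the key, though that is not visible here — the mx entry could drop `client_ca_key` entirely and keep the CA key on fewer hosts. If mx does need it, a short comment in the service JSON saying why would stop the next reader from removing it.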
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -45,8 +45,8 @@
 "x509": {
 "use": true,
 "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
- "client_ca_cert": "= file_path :client_ca_cert",
- "client_ca_key": "= file_path :client_ca_key",
+ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
 "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
 "commercial_key": "= file [:commercial_key, domain.full_suffix]",
 "commercial_ca_cert": "= try_file :commercial_ca_cert"
-- cgit v1.2.3
From 869b9e26475180d41513d036a0600ee433da1b77 Mon Sep 17 00:00:00 2001
From: varac
Date: Wed, 18 Sep 2013 16:50:15 +0200
Subject: deploy client_ca (#3833)
---
 puppet/modules/site_config/manifests/params.pp | 1 +
 puppet/modules/site_config/manifests/x509.pp | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp
index b434af90..008a4e1f 100644
--- a/puppet/modules/site_config/manifests/params.pp
+++ b/puppet/modules/site_config/manifests/params.pp
@@ -24,6 +24,7 @@ class site_config::params {
 }
 $ca_name = 'leap_ca'
+ $client_ca_name = 'leap_client_ca'
 $ca_bundle_name = 'leap_ca_bundle'
 $cert_name = 'leap'
 }
diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp
index 2660c523..8eca97e7 100644
--- a/puppet/modules/site_config/manifests/x509.pp
+++ b/puppet/modules/site_config/manifests/x509.pp
@@ -18,6 +18,10 @@ class site_config::x509 {
 content => $ca
 }
+ x509::ca { $site_config::params::client_ca_name:
+ content => $client_ca
+ }
+
 x509::ca { $site_config::params::ca_bundle_name:
 content => "${ca}${client_ca}"
 }
-- cgit v1.2.3
From 1f9003eb6ed90400279011d477e6143e2eb6e2db Mon Sep 17 00:00:00 2001
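Review bot: `x509::ca { $site_config::params::client_ca_name: content => $client_ca }` deploys the client CA through the same resource type as the provider CA, and the rest of this series reads those files back from `${x509::variables::local_CAs}/...`; the first commit's subject names /usr/local/share/ca-certificates for that role, which on Debian is the directory update-ca-certificates merges into the system trust store. If `x509::ca` does feed that hook, the client CA becomes trusted host-wide on every node that includes site_config::x509, not only where postfix needs it as `smtpd_tls_CAfile` — worth confirming what `x509::ca` does, and either deploying the client CA with a plain `file` resource or adding a comment stating that system-wide trust is intended.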
From: varac
Date: Wed, 18 Sep 2013 16:50:59 +0200
Subject: use x509 for postfix ca and fix names for cert+key (Feature #3833)
---
 puppet/modules/site_postfix/manifests/mx.pp | 3 +--
 puppet/modules/site_postfix/manifests/mx/tls.pp | 20 ++++----------------
 2 files changed, 5 insertions(+), 18 deletions(-)
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 2d8f3db5..4a7d66ed 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -44,7 +44,6 @@ submission inet n - n - - smtpd
 -o smtpd_tls_security_level=encrypt
 -o smtpd_recipient_restrictions=\$submission_recipient_restrictions
 -o smtpd_helo_restrictions=\$submission_helo_restrictions",
- require => [
- X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ]
+ require => Class['Site_config::X509']
 }
 }
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
index 8c9da9db..34df72bb 100644
--- a/puppet/modules/site_postfix/manifests/mx/tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
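Review bot: The replacement `require => Class['Site_config::X509']` silently drops the `User['vmail']` dependency that the removed array carried, so this resource may now be applied before the vmail user exists; if the submission service configuration still relies on that user, keep it: `require => [ Class['Site_config::X509'], User['vmail'] ]`. The enclosing resource starts outside the hunk, so the ordering may be established elsewhere — worth confirming. A short comment noting that the certificate and key are now declared by site_config::x509 rather than in this module would explain the indirection to the next reader.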
@@ -1,26 +1,14 @@
 class site_postfix::mx::tls {
- $x509 = hiera('x509')
- $key = $x509['key']
- $cert = $x509['cert']
- $client_ca = $x509['client_ca_cert']
- include x509::variables
- $cert_name = hiera('name')
- $cert_path = "${x509::variables::certs}/${cert_name}.crt"
- $key_path = "${x509::variables::keys}/${cert_name}.key"
-
- x509::key { $cert_name:
- content => $key,
- }
+ $ca_path = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt"
+ $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key"
- x509::cert { $cert_name:
- content => $cert,
- }
 postfix::config {
 'smtpd_use_tls': value => 'yes';
- 'smtpd_tls_CAfile': value => $client_ca;
+ 'smtpd_tls_CAfile': value => $ca_path;
 'smtpd_tls_cert_file': value => $cert_path;
 'smtpd_tls_key_file': value => $key_path;
 'smtpd_tls_ask_ccert': value => 'yes';
-- cgit v1.2.3
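Review bot: The hunk removes `include x509::variables` while the new `$ca_path`, `$cert_path` and `$key_path` still interpolate `$x509::variables::local_CAs`, `::certs` and `::keys` as well as `$site_config::params::*`; in Puppet a qualified variable of a class that has not yet been evaluated resolves to undef with only a warning, so unless those classes are guaranteed to be evaluated earlier the paths degrade to `/leap_client_ca.crt`, `/leap.crt` and `/leap.key` and postfix's TLS settings point at files that do not exist (the `require => Class[...]` added in mx.pp orders application, not evaluation). Keeping `include x509::variables` and adding `include site_config::params` at the top of the class pins this. Pointing `smtpd_tls_CAfile` at the client CA alone rather than the bundle is the right scope for verifying client certificates; a comment next to `$ca_path` saying so would stop a later reader from "fixing" it to the bundle.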